11 Replies - 5713 Views - Last Post: 03 August 2011 - 12:37 PM

How to restrict access to files and folders for visitors?

Posted 01 August 2011 - 08:40 AM

Hello,

How can you make sure that your website visitors can't access anything but the webpages themselves?

For example, let's say the typical website root folder consists of the actual pages (index.php, contactus.php, etc.) and 3 subfolders (images, styles, includes) with relevant files inside of them. So what happens is the user has access to any of the files and folders. For example, if they type in /styles/style1.css they will see all the contents of that file in plain text, or /includes/security.php, or simply put a folder name into the URL and they'll be presented with an FTP view of all files that reside in that particular folder.

How can you restrict the access to those kinds of folders/files for the average visitor? For example, if they actually try to access it, the website will always send them to a custom 404 page.

Replies To: How to restrict access to files and folders for visitors?

Re: How to restrict access to files and folders for visitors?

Posted 01 August 2011 - 10:38 AM

Well, you have to provide the browser access to any CSS files or it won't be able to download them and render the content as desired. Same for images. As far as includes/security.php, as long as the webserver is properly configured to run PHP files through the PHP interpreter, any file that has a .php extension will go through the interpreter and nothing of interest will be provided to the end user (unless you actually echo out sensitive values in the file, which would be supremely dumb).

Re: How to restrict access to files and folders for visitors?

Posted 01 August 2011 - 12:08 PM

JackOfAllTrades, on 01 August 2011 - 10:38 AM, said:

Well, you have to provide the browser access to any CSS files or it won't be able to download them and render the content as desired. Same for images. As far as includes/security.php, as long as the webserver is properly configured to run PHP files through the PHP interpreter, any file that has a .php extension will go through the interpreter and nothing of interest will be provided to the end user (unless you actually echo out sensitive values in the file, which would be supremely dumb).

Let the browser access all the CSS and image files, no problem. But if the user types in the URL bar the path to a specific file (.css, .php) it gets displayed bare naked. That I want not. Instead show them the "File doesn't exist/not found" error.

For example, if you go to some particular website, right click, view source, find a path to a .css file, copy it and go to it, you get an error explaining that the path is wrong/you shouldn't be accessing this.

This post has been edited by withburninghate: 01 August 2011 - 12:09 PM

Re: How to restrict access to files and folders for visitors?

Posted 01 August 2011 - 05:34 PM

Please provide an example website displaying this behavior. You can't hide the CSS, Javascript, or images from anyone who wants to see it in any event: these are all rendered by the browser, and therefore will be sent to the browser in a state that the browser can render them. I suppose it may be possible to prevent the download of these files by using rewrite rules and HTTP referrers, but referrers can be easily faked. And no properly-configured web server will provide raw PHP code to a bare request for a .php file.

Re: How to restrict access to files and folders for visitors?

Posted 02 August 2011 - 07:20 AM

JackOfAllTrades, on 01 August 2011 - 05:34 PM, said:

Please provide an example website displaying this behavior. You can't hide the CSS, Javascript, or images from anyone who wants to see it in any event: these are all rendered by the browser, and therefore will be sent to the browser in a state that the browser can render them. I suppose it may be possible to prevent the download of these files by using rewrite rules and HTTP referrers, but referrers can be easily faked. And no properly-configured web server will provide raw PHP code to a bare request for a .php file.

Any website, even this message board.

Maybe I laid it out wrong. I don't know how to make it any clearer.
I believe it has something to do with htaccess and mod_access.

Re: How to restrict access to files and folders for visitors?

Posted 03 August 2011 - 05:42 AM

Though it would be nice to implement a mod that prevented tree structure from generating or even something to auto-gen blank index.php files in empty directories. Then again, this is beyond the scope of my current knowledge so I have no idea how to go about implementing such a thing.
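The setup discussed in this thread, written out as an added example that is not part of any post above: a `.htaccess` for the site root from the question that turns off generated folder listings, answers 404 for everything under `includes/` and for bare folder URLs, and shows the Referer check mentioned in the replies together with its limits. It assumes Apache with mod_alias and mod_rewrite loaded and an `AllowOverride` setting that permits `Options` and `FileInfo`; the error page name `/404.php` and the host `example.com` are placeholders.

```apache
# Added example: .htaccess in the site root described in the question
# (index.php, contactus.php, plus images/, styles/ and includes/).
# /404.php and example.com are placeholder names, not taken from the thread.

# Weak default being replaced: with "Options +Indexes" and no index file,
# a request for /styles/ returns a generated listing of the folder.
Options -Indexes

# Custom page for missing and for forbidden resources.
ErrorDocument 404 /404.php
ErrorDocument 403 /404.php

# includes/ is read by PHP through the filesystem (include/require) and is
# never fetched by a browser, so every URL under it can answer 404.
RedirectMatch 404 ^/includes(/|$)

# A bare folder URL answers 404 instead of the 403 that -Indexes produces.
# Files inside images/ and styles/ stay reachable: the browser has to fetch
# them to render the pages.
RedirectMatch 404 ^/(images|styles)/?$

# Optional Referer check from the replies: answer 404 for stylesheets and
# images requested without a Referer from this site. The header is set by
# the client, so this only stops casual address-bar requests; it is not
# access control, and it also blocks visitors whose browser omits Referer.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(css|png|jpe?g|gif)$ - [R=404,L]
```

Moving `includes/` outside the document root achieves the same result for that folder without any rewrite rules, since PHP can still include files by filesystem path.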